Bug Data Buys Businesses Intel From U.S. Government

Thousands of businesses are reportedly exchanging information with the government on zero-day vulnerabilities and online threats in return for classified intelligence.

(click image for larger view)

The Syrian Electronic Army: 9 Things We Know

Thousands of American businesses -- technology manufacturers, information security vendors, banks, satellite telecommunications providers and many others -- share threat intelligence with U.S. intelligence agencies, including details of secret zero-day vulnerabilities. In exchange, they receive access to classified intelligence, including early warnings on any attacks that have been detected that may target their networks or intellectual property, as well as where the attacks originated.

These information-sharing arrangements between businesses -- known in government parlance as "trusted partners" -- and the National Security Agency (NSA), CIA, FBI, U.S. military and other government agencies was first reported Thursday by Bloomberg. The revelations suggest that U.S. intelligence agencies' Internet monitoring programs extend far beyond the handful of secret projects detailed by recently leaked NSA documents.

Information published last week, based on secret documents leaked by former NSA contractor Edward Snowden, detailed the existence of a program to intercept metadata -- phone numbers, call duration, approximate geographical location -- on millions of U.S. cell phone subscribers. The leaked information also detailed Prism, which is an arrangement between the NSA's Special Source Operations unit program and nine U.S. Internet companies -- including Facebook, Google, Microsoft and Yahoo -- that targets foreign voice, email and video communications.

Another secret NSA project made public by Snowden's leaked information was Blarney, which according to the Washington Post is "an ongoing collection program that leverages IC [intelligence community] and commercial partnerships to gain access and exploit foreign intelligence obtained from global networks" by targeting network backbones. Blarney collects metadata for computers being used to send emails or browse the Internet. The collected metadata includes the device's operating system, the browser being used as well as Java software version. Using that information would provide an intelligence agency with a shortcut to infiltrating any of those systems, for example by targeting known vulnerabilities in the browser or Java client.

Some of the shared information reportedly includes zero-day vulnerability details. Microsoft, for example, reportedly participates in the trusted-partner program, and shares information of vulnerabilities in its products with the government, before releasing those details -- or related fixes -- to business partners or the public. Such information could be used not only to proactively secure government computers against attack, but also to infiltrate foreign systems.

But two government officials, speaking anonymously to Bloomberg, said that while Microsoft is aware that the information it divulges can be used to target its foreign customers, legally speaking it's not allowed to ask -- and can't be told -- how the government might us this information. A Microsoft spokesman didn't immediately respond to an emailed request for comment about the full extent of its vulnerability-information-sharing arrangements with the U.S. government.

The Microsoft Active Protections Program (MAPP) counts a number of businesses and government organizations as participants, and gives them early information on vulnerabilities, in part to allow security firms to offer virtual patches against the bugs prior to their being detailed publicly. But the alleged information sharing between Microsoft and intelligence agencies would occur prior to bug information being distributed via MAPP.

One critical, legal point is that unlike some U.S. government interception programs -- such as Prism -- trusted partners aren't necessarily at the receiving end of a court order or National Security Letter, which can legally not only force their participation but also silence. Instead, the trusted partner program appears to be voluntary, and includes manufacturers providing detailed information about their hardware and software to the U.S government, although they appear to be sharing no customer information.

Likewise, many telecommunications companies reportedly give U.S. intelligence agencies direct access to their offshore data centers and other facilities, which is both legal and which exempts any resulting information intercepts from oversight under the Foreign Intelligence Surveillance Act.

The former director of the NSA and CIA, Michael Hayden, told Bloomberg that this information sharing would be invaluable. "If I were the director and had a relationship with a company who was doing things that were not just directed by law but were also valuable to the defense of the Republic, I would go out of my way to thank them and give them a sense as to why this is necessary and useful," he said.

To create these types of relationships, intelligence agencies reportedly first approach one key executive, who then handpicks a few trusted IT administrators to help. "You would keep it closely held within the company and there would be very few cleared individuals," Hayden said. Businesses sometimes also request immunity from any civil suits that might result from their information sharing.

Government officials told Bloomberg that Google co-founder Sergey Brin received a temporary clearance so that he could be briefed on what came to be known as the Operation Aurora advanced persistent threat (APT) attacks against Google. The attacks were reportedly traced to a Chinese People's Liberation Army cyber-attack unit that specialized in launching APT attacks. Based on the documents leaked by Snowden, at that point, Google would have been part of the Prism program for more than a year.

Google CEO Larry Page last week said in a statement that he'd never heard of Prism, denied giving the U.S. government direct access to any Google servers and said the company only shared data with governments "only in accordance with the law."

A Google spokesman didn't immediately respond to a request for comment about Google's information-sharing arrangements with the U.S. government.

But in the face of a potential backlash from domestic and overseas customers, Google, Facebook, Microsoft and Twitter have recently petitioned the Department of Justice and FBI, requesting that they be allowed to publicly detail the ways in which they share information with the U.S. government.

Published: 2015-03-31The build_index_from_tree function in index.py in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree.